Home > Vulnerability Database > CVE-2025-53358

Mend.io Vulnerability Database

CVE-2025-53358

Good to know:

Date: July 2, 2025

kotaemon is an open-source RAG-based tool for document comprehension. From versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to traverse directories (e.g. ../../../../../.env) and exfiltrate sensitive files. This issue has been patched via commit 37cdc28, in version 0.10.7 which has not been made public at time of publication.

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-53358

Url: https://github.com/Cinnamon/kotaemon/pull/755

Url: https://github.com/Cinnamon/kotaemon/commit/37cdc28ceb46e505d25221584daf1fe61e26b2cc

Url: https://github.com/Cinnamon/kotaemon/security/advisories/GHSA-jw4w-xcvf-jq5x

Url: https://www.mend.io/vulnerability-database/CVE-2025-53358

Severity Score

6.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version https://github.com/Cinnamon/kotaemon.git - no_fix

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-53358

Good to know:

Date: July 2, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?